
S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36)

S.O.V.A. is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. S.O.V.A., which is Russian for "owl", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Adversary-in-the-Middle - T1638 (08e22979-d320-48ed-8711-e7bf94aabb13) | Attack Pattern | S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | 1 |
| S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | Suppress Application Icon - T1628.001 (f05fc151-aa62-47e3-ae57-2d1b23d64bf6) | Attack Pattern | 1 |
| Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) | Attack Pattern | S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | 1 |
| Screen Capture - T1513 (73c26732-6422-4081-8b63-6d0ae93d449e) | Attack Pattern | S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | 1 |
| SMS Control - T1582 (b327a9c0-e709-495c-aa6e-00b042136e2b) | Attack Pattern | S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | 1 |
| S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) | Attack Pattern | 1 |
| System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) | Attack Pattern | S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | 1 |
| Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) | Attack Pattern | S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | 1 |
| Network Denial of Service - T1464 (d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d) | Attack Pattern | S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | 1 |
| Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | 1 |
| Input Injection - T1516 (d1f1337e-aea7-454c-86bd-482a98ffaf62) | Attack Pattern | S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | 1 |
| Data Encrypted for Impact - T1471 (d9e88203-2b5d-405f-a406-2933b1e3d7e4) | Attack Pattern | S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | 1 |
| S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | 1 |
| Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2) | Attack Pattern | S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | 1 |
| S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | Uninstall Malicious Application - T1630.001 (0cdd66ad-26ac-4338-a764-4972a1e17ee3) | Attack Pattern | 1 |
| Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) | Attack Pattern | S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | 1 |
| Transmitted Data Manipulation - T1641.001 (74e6003f-c7f4-4047-983b-708cc19b96b6) | Attack Pattern | S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | 1 |
| GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) | Attack Pattern | S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | 1 |
| S.O.V.A. - S1062 (4b53eb01-57d7-47b4-b078-22766b002b36) | Malware | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 1 |
| Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f) | Attack Pattern | Suppress Application Icon - T1628.001 (f05fc151-aa62-47e3-ae57-2d1b23d64bf6) | Attack Pattern | 2 |
| Impair Defenses - T1629 (20b0931a-8952-42ca-975f-775bad295f1a) | Attack Pattern | Prevent Application Removal - T1629.001 (dc01774a-d1c1-45fb-b506-0a5d1d6593d9) | Attack Pattern | 2 |
| Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a) | Attack Pattern | Software Packing - T1406.002 (51636761-2e35-44bf-9e56-e337adf97174) | Attack Pattern | 2 |
| Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) | Attack Pattern | Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | 2 |
| Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | Web Protocols - T1437.001 (2282a98b-5049-4f61-9381-55baca7c1add) | Attack Pattern | 2 |
| Indicator Removal on Host - T1630 (0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d) | Attack Pattern | Uninstall Malicious Application - T1630.001 (0cdd66ad-26ac-4338-a764-4972a1e17ee3) | Attack Pattern | 2 |
| Transmitted Data Manipulation - T1641.001 (74e6003f-c7f4-4047-983b-708cc19b96b6) | Attack Pattern | Data Manipulation - T1641 (c548d8c4-a0a3-4a24-bb79-2a84abbc7b36) | Attack Pattern | 2 |
| GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) | Attack Pattern | Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) | Attack Pattern | 2 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 2 |